If a rule’s conditions are met, there are a number of options you can set to determine how the rule processes the command. You can configure a rule to:

Display a message to the user submitting the command

Capture the user session for reporting and auditing purposes

Authorize or not authorize the command to be run

Specify what further rule processing to do. The rule can specify that the processing of additional rules ends by using the stop conditions (Stop, Stop if authorized, Stop if unauthorized).

When the Framework Manager receives a command request, the evaluation starts at the top of the rule tree. Even when a request matches a rule, the evaluation continues until a rule has a stop condition or the rule tree has been processed.

You can also:

Specify the user and host to run the command

Set a risk level for use with keystroke reports

Assign an audit group to the rule for use with the Compliance Auditor.

NOTE: If you are using a different user (run user) to run an authorized command than the user who submitted the command (submit user), by default the submit user’s environment variables are used for the run user. If you want to use the environment variables associated with the run user, you can add a script to your rule containing the following text:

Move the rule to the correct position according to the order in which you want to process your rules.

When a user issues a command under Command Control, the following rule processing takes place:

The conditions set for the first rule in the hierarchy are checked.

If there is a match, the rule is processed. Depending on how the rule is configured, processing of additional rules takes place or stops. If rule processing is not stopped, the next rule for which conditions are checked is the child of this rule. Rule checking and processing continues until it is stopped by a rule, or until all appropriate rules have been processed.

If there is no match, the conditions for the next rule at the same hierarchical level as the first rule are checked, and this continues until a match is found. Rule processing then takes place as described above.

You can change the default order of rule processing on the Modify Rule screen, or by using scripts. See Modifying a Script.

5.6.2 Modifying a Rule

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Select the rule you want to modify.

Click Modify Rule in the task pane.

Make the changes you want:

Name:
Change the name of the rule.

Disabled:
To disable the rule, select the Disabled box. A disabled rule is dimmed.

Description:
Specify a description of the rule.

User Message:
Specify a user message to be displayed to the user when this rule is processed, before any commands are run.

Session Capture:
Select either On or Off. Setting Session Capture to On allows the Audit Manager to perform keystroke logging for the rule. To view a captured session from a Command Control report, an Audit Manager and the Reporting Console must be installed.

Authorize:
Select either Yes or No, depending on whether you want the command protected by the rule to be authorized or not authorized if the rule conditions are met.

Define what happens next by using the drop-down list as follows:

Blank:
The next rule in the hierarchy is checked.

Stop:
No more rules are checked for the command.

Return:
The next rule to be checked is up one level in the hierarchy from the current rule.

Stop if authorized:
If Authorize is set to Yes, no more rules are checked for the command.

Stop if unauthorized:
If Authorize is set to No, no more rules are checked for the command.

Run User:
Define a run user by selecting the name of the user you want to run this command (this overrides any username defined through a set command).

Run Host:
Define a run host by selecting the name of the host on which you want to run this command (this overrides any hostname defined through a set command).

Risk Level:
Set a Risk Level of 0 to 99. This option allows you to set a value representing the relative risk of a rule when using the rush or crush clients with the session auditing option (see Section 5.2, Integrating Command Control into User Environments). When viewing a Command Control Keystroke Report, you see commands controlled by rules with different risk values represented in different colors.

Audit Group:
Define an Audit Group. This setting is for use in Compliance Auditor reports.

Click Finish. The settings you have defined for the rule are displayed in the console.
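The rule-processing description above (conditions checked top-down, children checked after a match, siblings checked after a non-match) and the "what happens next" drop-down values are easy to misread, so here is an added worked example. It is not code from the product or from this page: it is a small Python model of the walk over a constructed rule tree. Conditions are plain callables standing in for the real condition logic, and three points the page leaves unstated are assumptions marked in the code: the Authorize value of the last processed rule is the outcome, a request that no rule authorizes ends up not authorized, and once a matched rule's children are exhausted evaluation continues with the next sibling of that rule.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Values of the "what happens next" drop-down list described on the page.
BLANK, STOP, RETURN = "", "Stop", "Return"
STOP_IF_AUTHORIZED, STOP_IF_UNAUTHORIZED = "Stop if authorized", "Stop if unauthorized"


@dataclass
class Rule:
    """One rule in the rule tree (hypothetical model, not the product's own structure)."""
    name: str
    condition: Callable[[dict], bool]      # stands in for the rule's condition logic
    authorize: bool                        # Authorize: Yes (True) / No (False)
    next_action: str = BLANK               # one of the drop-down values above
    children: List["Rule"] = field(default_factory=list)


def evaluate(rules: List[Rule], request: dict) -> Tuple[bool, List[str]]:
    """Walk the tree and return (authorized, names of the rules that were processed).

    Page semantics: siblings are checked in order until one matches; a matching rule
    is processed and then its children are checked; Stop ends evaluation; Return goes
    back up one level. Assumptions (not on the page): the last processed rule's
    Authorize value is the outcome, the default outcome is "not authorized", and after
    a matched rule's children are exhausted the walk continues with its next sibling.
    """
    trace: List[str] = []
    outcome = False                        # assumption: nothing authorized yet

    def walk(level: List[Rule]) -> bool:
        """Return True when a stop condition ended the evaluation."""
        nonlocal outcome
        for rule in level:
            if not rule.condition(request):
                continue                   # no match: try the next rule at this level
            trace.append(rule.name)
            outcome = rule.authorize
            action = rule.next_action
            if action == STOP:
                return True
            if action == STOP_IF_AUTHORIZED and outcome:
                return True
            if action == STOP_IF_UNAUTHORIZED and not outcome:
                return True
            if action == RETURN:
                return False               # back to the parent's level; the caller moves on
            if walk(rule.children):        # Blank: the next rule checked is a child
                return True
        return False

    walk(rules)
    return outcome, trace


def build_sample_rules(in_hours_action: str = STOP) -> List[Rule]:
    """Constructed sample tree: sqlplus allowed during office hours, everything else denied."""
    is_sqlplus = lambda req: req["command"].startswith("sqlplus")
    outside_hours = lambda req: not 9 <= req["hour"] <= 17
    match_all = lambda req: True
    return [
        Rule("dba-commands", is_sqlplus, authorize=True, children=[
            Rule("outside-hours", outside_hours, authorize=False, next_action=STOP),
            Rule("in-hours", match_all, authorize=True, next_action=in_hours_action),
        ]),
        Rule("default-deny", match_all, authorize=False, next_action=STOP),
    ]


if __name__ == "__main__":
    rules = build_sample_rules()
    print(evaluate(rules, {"command": "sqlplus / as sysdba", "hour": 10}))
    print(evaluate(rules, {"command": "sqlplus / as sysdba", "hour": 22}))
    # Leaving the child's drop-down Blank lets evaluation fall through to default-deny,
    # which is the behaviour the page warns about: a match alone does not end the walk.
    print(evaluate(build_sample_rules(BLANK), {"command": "sqlplus / as sysdba", "hour": 10}))
```

The third call is the one worth studying: the request matches an authorizing rule, but because no stop condition is set the walk carries on to the catch-all deny rule and the final outcome is "not authorized". A final deny rule with Stop is a sound default, but every authorizing branch above it then needs its own Stop or Stop if authorized.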

5.6.3 Setting Conditions for a Rule

You can set a number of conditions for a rule to determine whether the rule is processed or not. For example, you can set a particular command as a condition, and only process the rule if a user enters that command.

There are two ways of setting conditions for a rule:

Dragging an entity onto the rule.

Using the Edit Condition option, as described in the steps below.

NOTE: When you drag an entity onto a rule, you might need to edit the condition to ensure that the condition logic is what you want. If you want to use a script in rule conditions, you must set it to Conditional first (see Modifying a Script).

To set conditions by using the Edit Condition option:

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Select the rule for which you want to set conditions.

Select the currently defined condition in the right pane. If you have not yet defined a condition, this is Match All.

Select Edit Condition in the task pane.

In the Add Condition drop-down list, select the type of condition you want. The condition is displayed on the screen.

Set the condition to the value and logic you want. For example, if you set a condition to match a run user to a user group:

Change user (submit user) to run user.

Leave the logic setting as IN.

Select the user group you require from the user group drop-down list.

Repeat Step 6 and Step 7 for any other conditions you want. Set the condition logic as necessary.

You can use parentheses to group conditions according to the necessary logic by selecting the parentheses ( ) entry from the Add Condition drop-down list. The opening and closing parentheses are displayed.

Select the opening parenthesis.

Select the condition type you want to place inside the parentheses and set it as necessary.

Select the opening parenthesis again.

Select another condition type to place inside the parentheses and set it as necessary.

If necessary, change OR to AND.

Repeat Step 8.d through Step 8.f for any other conditions you require inside this set of parentheses. You can also place parentheses within parentheses.

Click Finish.

5.6.4 Removing Conditions for a Rule

You can remove all the conditions for a rule, or you can remove individual conditions.

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Use the arrow to display the rules and select the rule for which you want to remove conditions.

Select the currently defined condition in the right pane.

To remove all conditions, click Remove Conditions in the task pane, then click Yes.

The rule condition is returned to Match All.

To remove individual conditions, click Edit Condition in the task pane, select the condition to remove, then click Finish.

5.6.5 Configuring Script Arguments and Entities for a Rule

You can configure script arguments and entities for the scripts assigned to a rule before or after assigning the scripts. You can define only one set of arguments and entities, which applies to all scripts assigned to a rule.

5.6.7 Removing Script Arguments and Entities

To remove a script entity, select the icon next to the name of the entity, then click Remove.

5.6.8 Removing a Script from a Rule

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Use the arrow to display the list of rules, then select the rule from which you want to remove a script.

Select the script you want to remove in the right pane.

To select multiple scripts, press the Ctrl key and select the required scripts one at a time, or press the Shift key to select a consecutive list of scripts.

Click Remove Script in the task pane.

Click Yes to confirm the removal. The scripts are removed from the rule.

5.6.9 Populating LDAP Group Scripts

Command Control policies give you additional options to control the execution of commands. For example, you can use a policy to restrict the rights and roles of a command so that the command works only for one particular directory, file, network address, or system call.

Configuring a Command Control Policy

A command control policy is defined by using the policy script arguments. A policy script argument specifies the access rights of the applications based on the path, network, and capability.

Click Command Control on the home page of the console.

From the Command Control Sample Scripts, add the Enhanced Access Control Policy script.

Drag the Enhanced Access Control Policy script from Scripts to Authorizing Rule.

Click the Authorizing Rule and access the Script Arguments.

Create a script argument with a name policy and add that policy to the Value field.

Configuring a Path Policy

A Path policy is a type of command control policy that restricts an application from accessing a specific directory based on the path.

The syntax of a Path policy is as follows:

path [owner] <path> <capability:capability:!capability>

owner specifies the file or directory ownership that should match with the current user ID.

path specifies a particular directory based on the path. Replace path with any of the following options:

Table 5-3 Path Options

/dir/file:
Specifies the file that the application can access in the /dir/ directory.

/dir/:
Specifies the directory that the application can access.

/dir/f*:
Specifies a file that begins with f in the /dir/ directory that the application can access.

/dir/*:
Specifies that the application can access all the files in the /dir/ directory.

/dir/**:
Specifies that the application can access all the files and the subdirectories within the /dir/ directory.

/dir/**/:
Specifies that the application can access all subdirectories that are recursively searched for in the /dir/ directory.

/dir/**/*:
Specifies that the application can access all the files that are recursively searched for in any subdirectory within the /dir/ directory.

capability specifies the rights of the application. You can use the ! symbol in the syntax to denote a logical not. For example, all:!write grants all the rights except the write role.

Replace capability with any of the following options:

Table 5-4 Capability Options

privperms:
Gives the application the read, write, and ownership permissions for the specified directory or file.

perms:
Enables the application to assign the permissions of a specified directory or file.

read:
Enables the application to assign the read permission for a specified directory or file.

write:
Gives the application the create and write permissions for the specified directory or file.

unlink:
Gives the application the deletion rights for the specified directory or file.

mknod:
Enables the application to create system files in the specified directory.

exec:
Enables the application to execute the shared files and files for which the application does not have read and write permission.

unsafe:
Enables the application to execute any file that does not inherit the policy.

link:
Enables the application to create a symbolic link or hard link to another file.

log[=<0-9>]:
Enables the application to audit system calls, with an optional risk value of 0-9.

all:
Enables the application to have all permissions.

You can use wildcards, regular expressions, and strings in the Path policy. For example, the word default in the following example specifies the default policy, and the second line narrows it for one directory tree:

path default all:log
path /opt/oracle/private/** !all:log=9
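The Path policy syntax, the path wildcards of Table 5-3 and the capability list of Table 5-4 are the kind of thing worth checking against a parser before a policy goes live, so here is an added example: a small Python parser and matcher for path policy lines. It is not the product's own policy engine and its exact matching rules are assumptions, marked in the code: * matches within one path component and ** across components, "all" covers every capability except log (which is why the page's own example writes all:log), lines are evaluated in order with the last match winning, and the optional owner keyword simply restricts a line to files owned by the current user. The sample policy text is constructed and reuses the two lines from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Capability names from Table 5-4. Assumption: "all" means every capability except
# log, which is why the page's example writes all:log rather than just all.
CAPABILITIES = {"privperms", "perms", "read", "write", "unlink", "mknod",
                "exec", "unsafe", "link", "log"}
ALL_RIGHTS = CAPABILITIES - {"log"}


@dataclass
class PathPolicy:
    pattern: str
    owner_only: bool            # the optional owner keyword was present
    grants: Set[str]            # capabilities in effect after applying ! negations
    log_risk: Optional[int]     # the N in log=N, when given
    regex: re.Pattern


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate the wildcards of Table 5-3. Assumption about the engine: * matches
    within one path component, ** matches across components, default matches all."""
    if pattern == "default":
        return re.compile(r".*")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_capabilities(spec: str) -> Tuple[Set[str], Optional[int]]:
    """Apply a colon-separated capability list left to right; a ! prefix removes rights."""
    grants: Set[str] = set()
    log_risk: Optional[int] = None
    for token in spec.split(":"):
        negate = token.startswith("!")
        name = token[1:] if negate else token
        risk = None
        m = re.fullmatch(r"log(?:=([0-9]))?", name)
        if m:
            name, risk = "log", (int(m.group(1)) if m.group(1) else None)
        elif name != "all" and name not in CAPABILITIES:
            raise ValueError(f"unknown capability: {token!r}")
        names = ALL_RIGHTS if name == "all" else {name}
        grants = grants - names if negate else grants | names
        if name == "log":
            log_risk = None if negate else risk
    return grants, log_risk


def parse_policy(text: str) -> List[PathPolicy]:
    """Parse lines of the form: path [owner] <path> <capability:capability:!capability>."""
    policies: List[PathPolicy] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] != "path":
            raise ValueError(f"not a path policy line: {raw!r}")
        parts = parts[1:]
        owner_only = parts[:1] == ["owner"]
        if owner_only:
            parts = parts[1:]
        if len(parts) != 2:
            raise ValueError(f"expected '<path> <capabilities>': {raw!r}")
        pattern, spec = parts
        grants, log_risk = parse_capabilities(spec)
        policies.append(PathPolicy(pattern, owner_only, grants, log_risk,
                                   pattern_to_regex(pattern)))
    return policies


def effective_policy(policies: List[PathPolicy], path: str,
                     is_owner: bool = False) -> Optional[PathPolicy]:
    """Pick the line that applies to a path. Assumption: lines are evaluated in order
    and the last match wins, so a specific line placed after default overrides it."""
    chosen = None
    for p in policies:
        if p.owner_only and not is_owner:
            continue                       # owner lines only apply to the user's own files
        if p.regex.match(path):
            chosen = p
    return chosen


# Constructed sample: the page's two lines plus one owner-scoped line (hypothetical).
SAMPLE_POLICY = """\
path default all:log
path /opt/oracle/private/** !all:log=9
path owner /home/*/.ssh/* all:!write
"""

if __name__ == "__main__":
    pols = parse_policy(SAMPLE_POLICY)
    for target in ("/etc/hosts", "/opt/oracle/private/wallet.sso", "/home/alice/.ssh/config"):
        p = effective_policy(pols, target, is_owner=True)
        print(target, "->", p.pattern, sorted(p.grants), "log_risk =", p.log_risk)
```

Running it shows the override the page's example is getting at: anything under /opt/oracle/private/ ends up with no rights at all and audit logging at risk 9, while every other path keeps the default all:log. The parser also rejects misspelled capability names, which the console's free-text Value field will not do for you.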

5.6.10 Finding a Rule

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

To find a rule from the entire list of rules, click Find Rule in the task pane.

or

To find a rule in a set of rules, select the parent rule, then click Find Rule.

In the Rule Filter field, specify the name of the rule you are looking for, then select Find.

You can use wildcard characters * and ?. For example, rul* finds the first rule beginning with “rul”. This field is case sensitive.

If the rule name you are looking for is displayed, double-click it to return to the navigation pane with the rule selected, or click Close to return to the navigation pane without a rule selected.

5.6.11 Moving a Rule

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Select the rule you want to move.

To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive list of rules.

Drag the selected rule to the location you want.

5.6.12 Copying a Rule

You can create a copy of an existing rule in your rule hierarchy, so you can use the same rule in more than one place in the hierarchy, or so you can create a new rule based on your existing rule.

NOTE:If you want to use the same rule in more than one place and you want any changes you make to the rule to be reflected in the other copy or copies, you should link the rule instead. See Linking a Rule for details.

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Select the rule you want to copy.

To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive list of rules.

To create the copy, press the Ctrl key and drag the selected rule to the desired location.

(Optional) Use the Modify Rule option to rename or modify the copy.

Move the rule to the correct position according to the order in which you want to process your rules. See Adding a Rule for details.

5.6.13 Linking a Rule

If you want a specific rule to be used in different places in your rules hierarchy, you can create a linked rule. Any changes you make to the linked rule are reflected in all the instances of the rule in your hierarchy. If you simply copy the rule, any changes made to the original rule or to one of its copies are not reflected in the other copies.

Changes to sub-rules of a linked rule are not linked. For example, if you add or modify a rule under a linked rule, the change is not reflected in other instances of the linked rule.

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Select the rule you want to link.

To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive list of rules.

To create the links, press the Ctrl key and the Shift key at the same time, then drag the selected rule to the location you want.

A linked rule is displayed with an arrow icon.

5.6.14 Deleting a Rule

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Select the rule you want to delete.

To select multiple rules in the same group, make sure the rules are displayed in the right pane of the navigation pane, then press the Ctrl key and select the required rules one at a time, or press the Shift key to select a consecutive list of rules.

Click Delete Rules in the task pane.

Click Finish to delete the rule and all rule children.

5.6.15 Viewing Pseudocode

The pseudocode for a rule provides a simplified representation of the actual code that is processed when the rule is activated. For complex rules, this can assist you with understanding what happens in different situations.

To view the pseudocode for a rule:

Click Command Control on the home page of the console.

Click Rules in the navigation pane.

Select the rule for which you want to view the pseudocode.

Click Pseudocode in the task pane.

You can copy the pseudocode by pressing Ctrl+A to select it and Ctrl+C to copy it, then paste it into a document for printing.